(54) Secure data processing method and system

(57) The present invention relates to a secure data processing method and system which includes a central processing unit, an operating system (10) and a file system.

The file system includes data which consists of protected file entries included within directories of file entries. Each directory is made secure by having an associated digital directory signature stored with the directory. At least some of the file entries are also protected by an associated digital signature. The data processing system has means to perform a checking algorithm which calculates authentic signatures. Access to the data stored in the file system is only allowed if the authentic signature calculated by the system matches the signature of the directory being accessed. Access to a file entry in the directory is allowed if the calculated signature for the file entry matches the signature stored with the file entry.

Each file entry signature is stored as an encrypted signature in association with a pointer to a key which is used to decrypt the signature.
Description

The present invention relates to a secure data processing method and system and is of particular application to a financial terminal.

A data processing system commonly has a central processing unit, an operating system and a file system, usually including a hard disk, for files to be accessed by the central processor unit under the control of the operating system. All such computer systems rely on the software that, ultimately, controls the functions offered to the user.

Software can be tampered with to allow an attacker to compromise the data processing system. Protection cannot be achieved by simply restricting the files that can be executed, or by encrypting the files on the hard disk. This is because the compromise may occur unknown to a legitimate user, or could be a deliberate fraud.

It would be desirable to restrict access for updating files and to detect invalid changes in real time to prevent system compromise before damage can occur.

It is therefore an object of the present invention to provide a method and a system for restricting access to files in a data processing system which can operate in real time.

According to the present invention there is provided a method of accessing data in a file system of a data processing system which also includes a programmable central processor unit, and an operating system, the data of the file system having a digital signature identifying the data, the method comprising the steps of performing a checking algorithm to calculate an authentic digital signature for the data, reading the identifying digital signature from the file system, comparing the authentic digital signature of the data with the digital signature read from the file system and accessing the file data in response to a match between the authentic digital signature and the digital signature read from the file system.

Further according to the present invention there is provided a data processing system comprising a programmable central processing unit, an operating system, and a file system for data which has a digital signature to identify the data, the file system being provided with a file system driver including means to perform a checking algorithm to generate an authentic digital signature, means to read the identifying digital signature from the file system and means to allow access to the data only in response to a match between the authentic signature of the data and the identifying signature.

The invention will now be described, by way of example, with reference to the accompanying drawings in which:

Figure 1 is a diagrammatic representation of a file system included in a data processing system according to the present invention and

Figures 2 and 3 are operating flow diagrams relating to the operation of the file system of Figure 1.

Referring first to Figure 1, there is shown diagrammatically a file system incorporated into a data processing system which includes a central processor unit, not shown, and an operating system 10 which runs applications 11. The file system has a file system driver 12 which is a part of the operating system 10. The driver 12 is responsible for managing all the read and write operations to a disk drive 14 which includes a physical storage disk 15 on which the files are physically recorded. The file system driver includes a number of functions which are represented diagrammatically by the block 13. The functions included within the file system driver include an interface to the disk drive 14, a disk manager, a physical interface and cryptographic support.

The file system is incorporated into a secure terminal in which it is not possible to make unauthorised modifications to the operating system to remove the file system driver 12. The files in the file system are structured in a fashion similar to other file systems in that they have a root directory which is the top of a tree structure which contains other directories. Each directory, including the root directory, can contain files.

Each directory has a directory name and a directory signature. One of the directories on the physical disk 15 is shown schematically in Figure 1 as a convenient reference to the contents of the directory. The schematic diagram in Figure 1 does not represent the physical character of the directory as will be well understood by those skilled in the art. Each directory may have a number of file entries from entry 1 to entry N. Each file entry has stored attributes including an attribute which is additional to those which are found on conventional file systems. The additional attribute is used to specify whether the file entry is protected or not.

If a file entry is not protected, then no further information respecting that file entry is stored on the disk 15. If, however, the file entry is protected, then a digital signature identifying the file entry is stored together with a pointer which links to a public key in a public key directory 16 stored on the disk 15. The public key directory 16 has a flat structure because the same public key may be used for file entries in more than one directory. The public keys are used to authenticate the file entries as will be explained.

Referring now to Figure 2, an instruction 17 to check a directory results in step 18 being performed to read the directory name and the directory signature. All the directories are protected using a symmetric key checking algorithm such as MAC in the case of the DES algorithm. This prevents an unauthorised agency from changing the directory contents either by using a software driver or by removing the disk 15 to another location and altering it. The symmetric key must not be stored on the disk 15 but is kept in a secure location not accessible to the applications running on the system or to outside agencies. This key is randomly generated by the file system driver when it is installed.

After having performed the step 18, the correct authentic signature of the directory to be addressed is calculated by the file system in step 19 using the checking algorithm. The calculated authentic signature is compared with the recorded directory signature in step 20 and if the signatures match in step 21, the result is to return an indication that the directory is an authentic directory. If not, an error is returned.

In order to access a file an instruction at step 22 results in traversing the path through which the directory including the file is authenticated in step 23. The file attributes of the file entry are read in step 24 and a determination is made in step 25 whether the file is signed or not. If the file is not signed, an indication is returned to allow access to the file entry. If, however, the file is signed, the signature and the public key in the directory 16 are both read in step 26. The signature of the file entry is decrypted in step 27 and the authentic digital signature for the file entry is calculated in step 28 by means of the cryptographic support included within the functions of the file system driver 12 using an asymmetric key algorithm. A comparison is performed in step 29 to determine whether the authentic signature matches the decrypted signature. If so an indication is returned to allow access to the file entry. If not an error indication is returned.
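As an added illustration (not code from the patent), the following Python models the two-level check of Figure 2: every directory on the path is verified with a symmetric MAC held only by the driver, then a protected entry's stored signature is "decrypted" with the public key its pointer names and compared with a freshly computed value. HMAC-SHA256 stands in for the DES-based MAC, a textbook RSA pair with tiny primes stands in for a real signature scheme, and the disk image and every key value are constructed.

```python
import hashlib
import hmac
# Toy model of the patent's two-level check.  HMAC-SHA256 stands in for the
# DES-based directory MAC; textbook RSA with tiny primes stands in for the
# asymmetric file signature.  All keys and data below are constructed.
DRIVER_KEY = b"constructed-driver-key-never-on-disk"  # held by the driver, not on disk 15
RSA_N, RSA_E, RSA_D = 3233, 17, 2753                 # textbook toy key pair, not secure

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % RSA_N

def sign_file(content: bytes) -> int:  # done by whoever holds the private exponent
    return pow(digest_int(content), RSA_D, RSA_N)

def dir_mac(name: str, entries: dict) -> bytes:
    # MAC over directory name plus every entry's name, attribute, signature and key link
    h = hmac.new(DRIVER_KEY, name.encode(), hashlib.sha256)
    for fname in sorted(entries):
        e = entries[fname]
        h.update(f"{fname}|{e['protected']}|{e.get('sig')}|{e.get('key_ptr')}".encode())
    return h.digest()

# Constructed disk image: flat public key directory 16, directories carrying a MAC
PUBLIC_KEYS = {0: RSA_N}  # key pointer -> public modulus (exponent RSA_E assumed)
APP = b"print('hello')"
DISK = {
    "/": {"entries": {"bin": {"protected": False}}},
    "/bin": {"entries": {"app": {"protected": True, "sig": sign_file(APP), "key_ptr": 0},
                         "notes": {"protected": False}}},
}
CONTENT = {"/bin/app": APP, "/bin/notes": b"free text"}
for path, d in DISK.items():
    d["sig"] = dir_mac(path, d["entries"])  # directory signature stored with the directory

def check_directory(path: str) -> bool:  # Figure 2, steps 17-21
    d = DISK[path]
    return hmac.compare_digest(dir_mac(path, d["entries"]), d["sig"])

def open_file(path: str) -> bytes:  # Figure 2, steps 22-29
    parts = path.strip("/").split("/")
    dirs = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in dirs:  # step 23: every directory on the path must pass its MAC check
        if not check_directory(d):
            raise PermissionError(f"directory {d} failed MAC check")
    entry = DISK[dirs[-1]]["entries"][parts[-1]]  # step 24: read the entry's attributes
    content = CONTENT[path]
    if not entry["protected"]:  # step 25: unsigned entries are returned without a check
        return content
    recovered = pow(entry["sig"], RSA_E, PUBLIC_KEYS[entry["key_ptr"]])  # steps 26-27
    if recovered != digest_int(content):  # steps 28-29: compare with freshly computed value
        raise PermissionError(f"{path} failed signature check")
    return content
```

Because the directory MAC covers the protected attribute, clearing that flag to skip the signature check is caught at step 23 before the entry is ever read.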

It will be seen that when a protected file is opened by an application, it will be checked for integrity using the digital signature recorded with the file and the associated public key assigned to that file. These protected files cannot be written to in the normal fashion or they will fail their integrity check. The file system will prohibit writing to the file.

A protected file can be exchanged for an equivalent protected file by supplying a new signed file, using the same public key, or by supplying an exchange message signed with the secret key partner of the existing public key and containing the new public key for the file.

Protected files can be deleted by supplying the secure file system with a deletion message which has been signed by the secret key partner of the public key supplied with the file to be deleted.

The file system is protected by a password mechanism, as will be described with reference to Figure 3, and the file system cannot be reformatted unless the password is supplied. The password is stored on the disk volume in an encrypted fashion using the symmetric key specified earlier.

In Figure 3, a create secure file instruction 30 is followed by the step of creating a directory entry in step 31. The supplied signature for the file is stored in step 32 and a determination is made in step 33 whether there is a new public key to be stored. If yes, a password for the public key list is obtained in step 34 and the password is checked in step 35. If not correct, an error return is made. If the password is correct, the public key which has been supplied is stored in the public key list, and a key link for the file entry is stored in step 37.

If a new public key was not to be stored, the step 33 leads directly to the step 37. From the step 37, the data is written to the disk in step 38 and a successful indication is then returned.

Updates to the public key directory can either be accomplished automatically, when a new file is being added, or manually. In either case a password has to be entered to allow access to the directory. The password is not required when a file is being exchanged. The file system can be configured to allow only manual updates to the public key directory. In this case, when a new file is added, the system scans the directory for a public key matching that supplied with the file and adds the pointer reference.

It will be apparent that a secure file system has been described which can protect directories and files from unauthorised changes. Some of the files may have no security requirements and be merely data files with no security implications. The protected files may be executed as programs or be loaded as dynamic link libraries.


1. A method of accessing data in a file system of a data processing system which includes a programmable central processor unit, and an operating system, the data of the file system having a digital signature identifying the data, characterised by the steps of performing a checking algorithm to calculate (19) an authentic signature for the data, reading the identifying signature from the file system, comparing (20) the authentic digital signature of the data with the digital signature read from the file system, and accessing the file data in response to a match between the authentic digital signature and the digital signature read from the file system.


2. A method as claimed in claim 1, wherein the data comprises a directory of file entries having a digital signature identifying the directory.

3. A method as claimed in claim 1, wherein the data comprises one or more file entries within a directory of file entries, one or more of the file entries having an associated identifying digital signature.

4. A method as claimed in claim 3, wherein the directory has a digital signature identifying the directory.

5. A method as claimed in claim 3 or 4, wherein the file entries are each associated with an attribute indicating that the file entry is protected by an encrypted digital signature and are each associated with a key, the method comprising reading (20) the signature for a file entry and decrypting (27) the signature by means of the associated key.

6. A data processing system comprising a programmable central processing unit, an operating system (10), and a file system for data which has a digital signature to identify the data, the file system being provided with a file system driver (12) including means to perform a checking algorithm to generate an authentic digital signature, means to read the identifying digital signature from the file system and means to allow access to the data only in response to a match between the authentic signature of the data and the identifying signature.

7. A system as claimed in claim 6, wherein the file system is adapted to store the data in the form of a directory of file entries which has a digital signature identifying the directory.

8. A system as claimed in claim 6, wherein the file system is adapted to store the data in the form of file entries in a directory of file entries, one or more of the file entries having an associated digital signature.

9. A system as claimed in claim 8, wherein the file system is adapted to store a digital signature identifying the directory of file entries.

10. A system as claimed in claim 8 or 9, wherein the file system is adapted to store each of the file entries in association with an attribute to indicate whether the file entry is protected by an encrypted digital signature and in association with a key, the file system having means to decrypt each encrypted key using the associated key.



EP 0 849 658 A2 


FIG. 1 (drawing; recoverable labels only): applications 11; operating system 10; file system driver 12 with functions 13: interface, disk manager, physical interface, cryptographic support; physical disk 14 and disk 15 holding a directory with directory name, directory signature and entries 1 to N, each with attributes, signature and public link; public key directory 16 with public key 1 to public key N and a key list signature.

FIG. 2 (flow diagram; recoverable labels only): check directory 17; read directory 18; calculate signature 19; compare with directory signature 20; yes: return OK, otherwise return error. Open file 22; traverse path checking directories 23; read file attributes 24; return OK (unsigned entry); read signature and public key 26; decrypt signature 27; calculate signature on file 28; return OK or return error.

FIG. 3 (flow diagram; recoverable labels only): create secure file 30; create directory entry 31; store supplied signature 32; get key list password 34; yes: store supplied public key 36, otherwise return error; add link key 37; write data to disk 38; return OK.